SYSTEM ACCESS BY CONTRACTORS
WITHOUT SECURITY CLEARANCES

Report Number 09-07
Date Issued: January 26, 2009

Prepared by the
Office of Inspector General
U.S. Small Business Administration


U.S. Small Business Administration
Office of Inspector General
Memorandum

To:       Christine Liu                                      Date: January 26, 2009
          Chief Information Officer

From:     Debra S. Ritt   /s/ original signed
          Assistant Inspector General for Auditing

Subject:  System Access By Contractors Without Security Clearances
          Report No. 09-07

This report supplements our evaluation of the Federal Information Security Management Act (FISMA) implementation for Fiscal Year 2008. The Office of Inspector General (OIG) is required to annually assess SBA's compliance with FISMA in accordance with specific reporting instructions issued by the Office of Management and Budget (OMB).[1] During the course of our FY 2008 FISMA review, we determined that SBA did not consistently ensure that contractors were properly vetted prior to granting them access to sensitive SBA systems and data. This vulnerability was not consistently reported and tracked in SBA's Plan of Action and Milestones (POA&M).

    [1] Memorandum 08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

In order to assess security controls over contractor access, we reviewed SBA access requirements outlined in Standard Operating Procedure (SOP) 90 47 2. We also requested the names of contractors with access to all hosted applications[2] on the following 10 systems:

[FOIA ex. 2]

    [2] These included applications in both production and test environments.

We compared contractor names to Agency and OIG records and interviewed the appropriate Agency representatives to determine whether background investigations and clearances had been completed for contractor staff. To determine whether SBA appropriately identified and corrected vulnerabilities involving unauthorized contractor access, we reviewed OMB Memorandum M-04-25 requirements and the Agency's POA&M quarterly reports for FY 2008. Our review was conducted in accordance with the Government Auditing Standards as prescribed by the Comptroller General of the United States.

BACKGROUND

OMB Circular A-130 requires Federal agencies to screen individuals applying for access to government data and systems based on the level of risk presented by their access. SOP 90 47 2 classifies all SBA data as sensitive and requires all contractor personnel to undergo background investigations. In addition, contractor personnel occupying positions designated as critical-sensitive cannot be given access to sensitive data until an appropriate security clearance has been granted. SBA requires that SBA Form 1228, Computer Access Clearance/Security, be used to request all network account access for new contractor employees.

Currently, the Contracting Officer's Technical Representatives (COTRs) assigned to each program office are responsible for identifying all contractor personnel who require access to SBA systems and records.[3] The COTR submits system access requests to the OIG Security Office, which performs the preliminary background checks. After the OIG completes the background check, the signed access request is sent to the appropriate staff for processing. The contractor may then be granted temporary system access pending the completion of the full clearance process.

    [3] SBA Procedural Notice 9000-1684, SBA Form 1228 Process.

RESULTS

SBA Granted System Access to Contractors Who Lacked the Required Background Investigations and Security Clearances

Contractor employees were granted access to sensitive SBA systems and data without evidence of completed background investigations and security clearances, as required by SOP 90 47 2. Of the 10 systems reviewed, we identified 6 that were accessed by contractors who did not have the required background investigations and clearances:

    • [FOIA ex. 2] – Five of seven contractors were found to occupy sensitive positions, such as Systems Administrator, without background investigations and subsequent clearances. In some cases, the contractors had access to both production and test data.

    • [FOIA ex. 2] – One of four contractors lacked evidence of a background investigation and clearance.

    • [FOIA ex. 2] – All 33 contractors lacked a background investigation and clearance.

    • [FOIA ex. 2] – Two of nine contractors did not have evidence of a background investigation and clearance.

    • [FOIA ex. 2] – All 18 contractors lacked a background investigation and clearance.

    • [FOIA ex. 2] – One of three contractors did not have an SBA background investigation and clearance.

Although SBA procedures require a background investigation and SBA authorization for all contractors accessing SBA data, not all COTRs were aware of this requirement and instead relied on vendors to clear their own employees for access. For example, the COTRs for [FOIA ex. 2] and the [FOIA ex. 2] were unaware of the SBA background investigation and clearance requirements until the OIG made inquiries. As a result, critical and sensitive SBA systems and data (including Personally Identifiable Information) were at risk of unauthorized access and subsequent waste, loss, and misuse.

Only four of the six systems we identified were reported as having contractor access-related vulnerabilities on SBA's POA&M. Access vulnerabilities associated with [FOIA ex. 2] and [FOIA ex. 2] were not reported. The POA&M also identified an additional five systems as having vulnerabilities associated with contractor access, which, with the exception of [FOIA ex. 2], we did not review. These systems included the:

    • [FOIA ex. 2];
    • [FOIA ex. 2][4];
    • [FOIA ex. 2];
    • [FOIA ex. 2]; and
    • [FOIA ex. 2]

    [4] Our review of [FOIA ex. 2] did not disclose any employees with background investigation/clearance issues. However, the quarterly POA&Ms reported a vulnerability.

SBA Did Not Consistently Report Vulnerabilities Involving Unauthorized Contractor Access

OMB Memorandum M-04-25 requires agencies to prepare a POA&M for all programs and systems where an IT security vulnerability has been found and to brief OMB. Program officials are further required to update the Agency's Chief Information Officer (CIO) on the status of their progress in addressing the vulnerabilities by reporting this information in the POA&M at least quarterly so that the CIO can monitor agency-wide remediation efforts. Additional Federal guidance requires system owners to perform timely corrective actions to address the vulnerabilities.[5]

    [5] National Institute of Standards and Technology (NIST) Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

Despite these requirements, system owners did not consistently identify and/or address identified vulnerabilities associated with contractor access to sensitive SBA systems and data. A review of quarterly POA&Ms for FY 2008 disclosed that unauthorized contractor access to the 11 systems on the POA&M was not consistently reported as a vulnerability and that the vulnerabilities were not consistently prioritized and remediated. A summary of how these vulnerabilities were reported is shown in the following table.

Table 1. Summary of POA&M Vulnerabilities Involving Unauthorized Contractor Access

                    Disclosure and Rating of Vulnerability
System[6]           POA&M 1st Quarter 2008    POA&M 2nd Quarter 2008    POA&M 3rd Quarter 2008     POA&M 4th Quarter 2008
[FOIA ex. 2]        Not Reported              Not Reported              Not Reported               Low
[FOIA ex. 2]        Not Reported              Not Reported              High                       High
[FOIA ex. 2]        Low                       Low                       Not Reported               Not Reported
[FOIA ex. 2]        Not Reported              Not Reported              Not Reported               Not Reported
[FOIA ex. 2]        Not Reported              Not Reported              Not Reported               Not Reported
[FOIA ex. 2]        Reported, but not ranked  Reported, but not ranked  Reported, but not ranked   Reported, but not ranked
[FOIA ex. 2]        Medium                    Medium                    Medium                     Medium
[FOIA ex. 2]        Medium                    Medium                    Medium                     Medium
[FOIA ex. 2]        High                      High                      Vulnerability Remediated   Vulnerability Remediated
[FOIA ex. 2]        Not Reported              Not Reported              Medium                     Medium
[FOIA ex. 2]        Not Reported              Not Reported              High                       High

Source: OCIO quarterly POA&M reports for FY 2008.

    [6] Includes general support systems, such as [FOIA ex. 2] and the [FOIA ex. 2].

For example, SBA did not report a vulnerability related to unauthorized contractor access to [FOIA ex. 2] in the first two quarters of 2008, but subsequently reported it as a high-risk vulnerability in the last two quarters of 2008. Further, vulnerabilities related to contractor access were sometimes rated as high-risk, and other times as medium- or low-risk.

Inconsistencies in reporting vulnerabilities associated with contractor access were due to several factors. First, contractors performing Certification and Accreditation reviews and security self-assessments of the various systems did not consistently identify improper contractor access as a vulnerability. Secondly, because OCIO did not provide guidance on how such vulnerabilities should be rated, ratings varied. Finally, in preparing the POA&M, OCIO staff did not identify inconsistencies in how the vulnerabilities were being reported and rated, and allowed vulnerabilities to be dropped without appropriate documentation.

RECOMMENDATIONS

We recommend the Chief Information Officer:

    1. Require system owners to confirm that all contractor personnel with access to sensitive systems and data have background investigations and clearances commensurate with SBA policy.

    2. Immediately suspend system access for any contractors who do not comply with SBA background investigation and security clearance policies.

    3. Work with the Office of Management and Administration to notify COTRs of SBA's system access requirements related to contractor personnel.

    4. Require that the C&A reviews and the security self-assessments determine whether contractor employees have the required background investigations and clearances for system access.

    5. Develop guidance on how contractor access vulnerabilities should be rated and reported in the quarterly and annual POA&M reports.

    6. Require documentation justifying removal of previously reported vulnerabilities from the POA&M.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

On December 16, 2008, we provided a draft of this report to SBA for comment, and on January 23, 2009, we received written comments from the Chief Information Officer, which are contained in their entirety in Appendix I.

While the OCIO agreed to take action on the recommendations, we found that the proposed actions to be taken in response to Recommendations 1, 2, 4, 5 and 6 were not sufficient to fully address the related findings. We consider the OCIO response to Recommendation 3 to be sufficient to remediate the related finding.

We recognize the actions taken by the OCIO staff to address issues that the audit team brought to their attention and look forward to resolution of all findings and implementation of all recommendations.

ACTIONS REQUIRED

Because your comments did not fully address Recommendations 1, 2, 4, 5 and 6, we request that you provide a written response by February 20, 2009, providing proposed actions and target dates for implementing the recommendations.

We appreciate the courtesies and cooperation of the OCIO during this audit. If you have any questions concerning this report, please call me at (202) 205-[FOIA ex. 2] or Jeffrey Brindle, Director, Information Technology & Financial Management Group, at (202) 205-[FOIA ex. 2].